Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.

A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956)

Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package.

For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately.

Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable.

This update also fixes two additional security issues:

Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957)

A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216)

All users are advised to update to these erratum packages which contain a backported fix to correct these issues.

Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.

4. Solution:

The krb5 telnet daemon is an xinetd service. You can determine if krb5 telnetd is enabled with the command:

/sbin/chkconfig --list krb5-telnet

The output of this command will be "krb5-telnet on" if krb5 telnet is enabled. krb5 telnet daemon can be immediately disabled with the command:

/sbin/chkconfig krb5-telnet off
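
The check and the disable step above can be combined into one script for hosts that need auditing. This is an added example, not part of the original advisory. The function names, the CHKCONFIG override variable and the --apply switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `chkconfig --list krb5-telnet`
# and disable the service when it is enabled. Function names, the
# CHKCONFIG variable and the --apply switch are illustrative assumptions.

# Print "on", "off" or "unknown" for one chkconfig --list output string.
krb5_telnet_state() {
    printf '%s\n' "$1" | awk '
        { name = $1; sub(/:$/, "", name) }   # tolerate a trailing colon
        name == "krb5-telnet" && ($2 == "on" || $2 == "off") {
            print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Query the local host, disable krb5-telnet if it is on, then re-check.
# Returns 0 when the service ends up off, non-zero otherwise.
remediate_krb5_telnet() {
    chk=${CHKCONFIG:-/sbin/chkconfig}
    [ -x "$chk" ] || { echo "chkconfig not found at $chk" >&2; return 2; }

    out=$("$chk" --list krb5-telnet 2>&1) || true
    case $(krb5_telnet_state "$out") in
        on)
            echo "krb5-telnet is enabled; disabling"
            "$chk" krb5-telnet off || return 1
            out=$("$chk" --list krb5-telnet 2>&1) || true
            [ "$(krb5_telnet_state "$out")" = off ] || return 1
            ;;
        off)
            echo "krb5-telnet is already disabled"
            ;;
        *)
            # Package not installed, or output in an unexpected form.
            echo "krb5-telnet state unknown: $out" >&2
            return 3
            ;;
    esac
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    remediate_krb5_telnet
fi
```

Disabling the service only removes the exposure. The erratum packages still need to be applied to fix the flaw itself.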

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188